How to grant su access to wheel without asking for password on FreeBSD?
I would like to grant users of the wheel group (other sysadmins) su access without being asked for a password.
I know how to do it with PAM in Linux, but the question now is for FreeBSD. I am not familiar with the syntax for FreeBSD's PAM subsystem. What shall I enter in /etc/pam.d/su instead of the default:
auth sufficient pam_rootok.so no_warn
auth sufficient pam_self.so no_warn
auth requisite pam_group.so no_warn group=wheel root_only fail_safe ruser
auth include system
# account
account include system
# session
session required pam_permit.so
Solution 1:
I did some trial and error, and the solution for me seems to be this:
# auth
auth sufficient pam_rootok.so no_warn
auth sufficient pam_self.so no_warn
auth requisite pam_group.so no_warn group=wheel root_only fail_safe ruser
auth sufficient pam_group.so no_warn group=wheel root_only fail_safe ruser
auth include system
# account
account include system
# session
session required pam_permit.so
This allows members of the wheel group to su without a password, but disallows non-members. (I think the two lines can be consolidated into one, but I did not bother that much.)
Solution 2:
sudo is configured by the sudoers file, and visudo should be used to edit it.
visudo -f /usr/local/etc/sudoers
Make sure you have this line uncommented:
%wheel ALL=(ALL) NOPASSWD: ALL
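An audit check covering both configurations above (the sufficient pam_group.so line from Solution 1 and the NOPASSWD rule from Solution 2), as an added example that is not part of the original answers: it lists the groups that a pam.d file or a sudoers file lets become root without a password prompt. The function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: list groups that can become root with no password prompt.

# Groups named by "auth sufficient pam_group.so" lines in a pam.d file.
# A "sufficient" success ends the auth stack, so membership alone
# authenticates; "requisite" lines only reject non-members.
pam_nopasswd_groups() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "auth" && $2 == "sufficient" &&
        ($3 == "pam_group.so" || $3 ~ /\/pam_group\.so$/) {
            grp = "wheel"    # pam_group(8) default when group= is absent
            for (i = 4; i <= NF; i++)
                if ($i ~ /^group=/) grp = substr($i, 7)
            print grp
        }' "$1"
}

# Groups with an active "%group ... NOPASSWD:" rule in a sudoers file.
# Continuation lines and included files are not followed.
sudoers_nopasswd_groups() {
    awk '
        /^[ \t]*#/ { next }
        $1 ~ /^%/ && /NOPASSWD:/ { print substr($1, 2) }' "$1"
}

# Constructed samples: the auth stack from Solution 1 and the sudoers
# line from Solution 2, written to a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/su" <<'EOF'
auth sufficient pam_rootok.so no_warn
auth sufficient pam_self.so no_warn
auth requisite pam_group.so no_warn group=wheel root_only fail_safe ruser
auth sufficient pam_group.so no_warn group=wheel root_only fail_safe ruser
auth include system
EOF
    printf '%s\n' '# %staff ALL=(ALL) NOPASSWD: ALL' \
        '%wheel ALL=(ALL) NOPASSWD: ALL' > "$d/sudoers"
    echo "pam:     $(pam_nopasswd_groups "$d/su")"
    echo "sudoers: $(sudoers_nopasswd_groups "$d/sudoers")"
    rm -rf "$d"
}
demo
```

On a real host, point the two functions at /etc/pam.d/su and /usr/local/etc/sudoers; empty output means no passwordless group rule was found in that file.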